Data Privacy Considerations in Cross-Border Employee Discipline
By: Rashel Ann C. Pomoy and Lawrence Ivan Manalo
The Philippines operates as a base for multinational corporations with operations in the country. In many of these organizations, certain business functions, including human resources, may be handled by foreign counterparts. This creates situations where matters involving employee discipline may be handled, in whole or in part, by units based outside the Philippines, thereby requiring the transfer of documentation across borders.
The Data Privacy Act treats any information from which the identity of an individual is apparent or can be reasonably and directly ascertained, or when taken together with other information would directly and certainly identify an individual as personal information.1 This broad definition, within the employment context, necessarily includes relevant employment records, such as evaluations, attendance records, and disciplinary history. Thus, transfers covering personal information must comply with the Data Privacy Act.
The Principles of Data Privacy
Under the Philippine framework, the processing, including the collection and transfer, of any personal information must adhere to the three core principles of data privacy, namely, transparency, legitimate purpose, and proportionality.2 These principles translate into the following practical obligations:
First, the employer’s privacy notice must include the categories of personal information that will be processed, how such information will be processed, and the purpose for such processing. In this context, the privacy notice must specify that relevant employment records may be transferred to specific jurisdictions for purposes of employee management and discipline or the conduct of factual investigations.
Second, any transfer must only cover such information as may be necessary to determine whether there is a sufficient basis to impose disciplinary action on an employee. Thus, other records that are not relevant to the ongoing investigation or proceedings should be excluded.
Lastly, as a matter of best practice, employers should maintain an internal data transfer agreement within the organization that sets out formal obligations and responsibilities. The internal safety and security protocols for the handling and usage of any personal information may also be integrated in this agreement. While such agreements are optional and do not create any basis to deem transfers legal,3 they may still help demonstrate the employer’s good faith, commitment to data privacy, and the lawful processing of personal information.
The Element of Consent
Personal information, when not sensitive or privileged, may be processed even without the consent of the affected employees, provided that the same is based on some other lawful basis. In this context, the processing and transfer may be justified by the need to facilitate employee discipline, which, in turn, may be construed as necessary for purposes of employee management.4
A stricter framework applies when the records involve sensitive personal information or information falling under the following categories: 5
a. About the employee’s race, ethnic origin, marital status, age, color, and religious, philosophical or political affiliations;
b. About their health, education, genetic or sexual life of a person, or to any proceeding for any offense committed or alleged to have been committed by the employee, the disposal of such proceedings, or the sentence of any court in such proceedings;
c. Issued by government agencies specific to the employee, including social security numbers, licenses or their denial, suspension or revocation, and tax returns; and
d. Specifically established by an executive order or an act of Congress to be kept classified.
Certain circumstances may call for the transfer of such sensitive personal information, especially when there is a claim involving fraudulent licenses, gender-based sexual harassment, or discrimination. In such instances, the relevant documentation must be processed only with the consent of the employees.6
To avoid gaps in coverage, employee consent should be obtained at the outset of the employment relationship, providing a clear basis for processing both ordinary and sensitive personal information.7
Compliance with Philippine Labor Law
Notwithstanding that foreign counterparts may handle the disciplinary proceedings, the same must still comply with Philippine Labor Law when the subject employees are based in the Philippines, even if they are not Filipinos.8
There must be compliance with the substantive due process requirements in accordance with Art. 297 of the Labor Code, which means that dismissal must be grounded on the following:
a. Serious misconduct or willful disobedience by the employee of the lawful orders of the employer or its representative in connection with the employee’s work;
b. Gross and habitual neglect by the employee of their duties;
c. Fraud or willful breach by the employee of the trust reposed in them by the employer or its duly authorized representative;
d. Commission of a crime or offense by the employee against the person of the employer or any immediate member of the employer’s family or its duly authorized representatives; and
e. Other causes analogous to the foregoing.
The process must likewise comply with the procedural requirements under Philippine labor law which include:9
a. The issuance of a first notice or the Notice to Explain containing the specific grounds for termination, a detailed narration of the facts and circumstances, and a directive for the employee to submit a written explanation within at least five (5) calendar days from receipt.
b. If requested by the employee, or if deemed needed by the employer, the employer may also conduct an administrative hearing to provide the employee a further opportunity to explain their side.
c. The issuance of the second notice or the Notice of Dismissal indicating that the Company has considered all circumstances and that the grounds for imposing disciplinary action (including termination) have been established.
Thus, while employment records may be transferred to foreign counterparts to allow their participation in the administrative proceedings involving local employees, such transfer must be premised on proper compliance with the Philippine data privacy framework.
Further, such proceedings, at their core, must likewise still comply with the substantive and procedural due process requirements prescribed by Philippine labor law.
1. Section 3(g), Data Privacy Act.
2. Section 11, Data Privacy Act.
3. Section 1(c), NPC Advisory No. 2025-01.
4. Section 12(f), Data Privacy Act.
5. Section 3(l), Data Privacy Act.
6. Section 13(a), Data Privacy Act. While there are other grounds for processing sensitive personal information, these may not be relevant in the context of employee discipline.
7. Sections 12(a) and 13(a), Data Privacy Act.
8. Pacific Consultants International Asia, Inc. v. Schonfeld, 545 Phil 116 (2007).
9. PLDT vs. Domingo, 906 Phil 209-235 (2021)
